lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 19 Jan 2014 11:54:42 +0100
From: Krisztián Pintér <>
To: Solar Designer <>
Subject: Re: [PHC] Native server relief support for password hashing in browsers

Solar Designer (at Sunday, January 19, 2014, 8:54:37 AM):

> I'd say "secure tunnel" is orthogonal to "client-side hashing", as well
> as to "better password hashing" in general.  Any of these are somewhat
> nice to have even without the others, although of course a combination
> of them is usually preferable.

let me add that all PBKDF-s can be naturally and easily extended to
support server relief. all we need is to add a final hashing step:

K = H( PBKDF(pwd, salt) )

the server can request the intermediate result, and do the
hashing only.

also, any PBKDF can be used in advanced schemes, like SRP.

these are all orthogonal to the PBKDF itself.

Powered by blists - more mailing lists